
Trust credentials

Trust credentials provide a framework for delegated and scoped access to the Tailscale API. A trust credential creates access tokens for scoped API access, instead of relying on a fully-permitted access token, which expires after 90 days (or sooner if the fully-permitted access token was given a shorter expiry). Trust credentials support the principle of least privilege by allowing fine-grained control over the access granted to the credential using scopes, unlike a fully-permitted access token, which grants full access to the Tailscale API.

Trust credentials come in two forms: OAuth clients and OIDC workload identities. Information common to both forms is shared below.

Scopes

Scopes have been changed so that each scope carries more granular permissions. The previous set of scopes can be found in the legacy scopes section.

Scopes define which operations are permitted in API access tokens that are created by your trust credentials.

In addition to the endpoints listed below, all scopes allow access to GET /api/v2/tailnet/:tailnet/keys/:keyID for the key in use.

You can use the following scopes in Tailscale trust credentials:

Each entry gives the scope ID, its description, and the allowed endpoints.

all:read
  The credential has read-only access to the tailnet. This scope is not restricted to only read access of APIs that existed at the time the credential was initially authorized—the all:read scope also grants read access to new APIs created in the future. The all and all:read scopes are the only scopes which can get a list of all access tokens which exist in the tailnet.
  • All *:read endpoints, even endpoints which did not exist when the credential was initially authorized.
  • GET /api/v2/tailnet/:tailnet/keys/:keyID (for any key, not just itself)

all
  The credential has complete access to the tailnet. This scope is not restricted to only access of APIs that existed at the time the credential was initially authorized—the all scope also grants access to new APIs created in the future. The all and all:read scopes are the only scopes which can get a list of all access tokens which exist in the tailnet.
  • All endpoints, even endpoints which did not exist when the credential was initially authorized.
  • GET, DELETE /api/v2/tailnet/:tailnet/keys/:keyID (for any key, not just itself)

dns:read
  The credential has access to read DNS settings.
  • GET /api/v2/tailnet/:tailnet/dns/nameservers
  • GET /api/v2/tailnet/:tailnet/dns/preferences
  • GET /api/v2/tailnet/:tailnet/dns/searchpaths
  • GET /api/v2/tailnet/:tailnet/dns/split-dns

dns
  The credential has access to read and manipulate DNS settings.
  • Endpoints from dns:read
  • POST /api/v2/tailnet/:tailnet/dns/nameservers
  • POST /api/v2/tailnet/:tailnet/dns/preferences
  • POST /api/v2/tailnet/:tailnet/dns/searchpaths
  • PATCH, PUT /api/v2/tailnet/:tailnet/dns/split-dns

policy_file:read
  The credential has access to read and validate the tailnet policy file. devices:posture_attributes:read and devices:core:read are required when using this scope.
  • GET /api/v2/tailnet/:tailnet/acl
  • POST /api/v2/tailnet/:tailnet/acl/preview
  • POST /api/v2/tailnet/:tailnet/acl/validate

policy_file
  The credential has access to read, validate, and modify the tailnet policy file. devices:posture_attributes and devices:core:read are required when using this scope.
  • Endpoints from policy_file:read
  • POST /api/v2/tailnet/:tailnet/acl

users:read
  The credential has access to read user information.
  • GET /api/v2/tailnet/:tailnet/users
  • GET /api/v2/user/:userID

users
  The credential has access to read user information, modify user roles, and handle user approval, suspension, deletion, and restoration.
  • Endpoints from users:read
  • POST /api/v2/user/:userID/role
  • POST /api/v2/user/:userID/approve
  • POST /api/v2/user/:userID/suspend
  • POST /api/v2/user/:userID/restore
  • POST /api/v2/user/:userID/delete

devices:core:read
  The credential has access to read devices in the tailnet.
  • GET /api/v2/tailnet/:tailnet/devices
  • GET /api/v2/device/:deviceID

devices:core
  The credential has access to read the list of all devices in the tailnet, authorize or remove machines, and manipulate tags on devices. You must select one or more tags when you create a credential with the devices:core scope. Auth keys created with this credential must have those exact tags, or tags owned by the credential's tags.
  • Endpoints from devices:core:read
  • DELETE /api/v2/device/:deviceID
  • POST /api/v2/device/:deviceID/authorized
  • POST /api/v2/device/:deviceID/expire
  • POST /api/v2/device/:deviceID/ip
  • POST /api/v2/device/:deviceID/name
  • POST /api/v2/device/:deviceID/key
  • POST /api/v2/device/:deviceID/tags

devices:posture_attributes:read
  The credential has access to read device posture attributes.
  • GET /api/v2/device/:deviceID/attributes
  • GET /api/v2/device/:deviceID/attributes/:attributeKey

devices:posture_attributes
  The credential has access to manipulate and read device posture attributes.
  • Endpoints from devices:posture_attributes:read
  • POST, DELETE /api/v2/device/:deviceID/attributes
  • POST, DELETE /api/v2/device/:deviceID/attributes/:attributeKey

devices:routes:read
  The credential has access to read subnet router settings and exit node settings.
  • GET /api/v2/device/:deviceID/routes

devices:routes
  The credential has access to read or modify subnet router settings, approve and revoke subnet routes, and approve and revoke exit nodes.
  • Endpoints from devices:routes:read
  • POST /api/v2/device/:deviceID/routes

devices_invites:read
  The credential has access to read device invites.
  • GET /api/v2/device/:deviceID/device-invites
  • GET /api/v2/device-invites/:deviceInviteID

devices_invites
  The credential has access to read or modify device invites.
  • Endpoints from devices_invites:read
  • GET /api/v2/device/:deviceID/device-invites
  • GET, DELETE /api/v2/device-invites/:deviceInviteID

api_access_tokens:read
  The credential has access to read API access tokens.
  • GET /api/v2/tailnet/:tailnet/keys (for API access tokens)
  • GET /api/v2/tailnet/:tailnet/keys/:keyID (for API access tokens)

api_access_tokens
  The credential has access to read or modify API access tokens.
  • Endpoints from api_access_tokens:read
  • DELETE /api/v2/tailnet/:tailnet/keys/:keyID (for API access tokens)

auth_keys:read
  The credential has access to read auth keys.
  • GET /api/v2/tailnet/:tailnet/keys (for auth keys)
  • GET /api/v2/tailnet/:tailnet/keys/:keyID (for auth keys)

auth_keys
  The credential has access to read or modify auth keys.
  • Endpoints from auth_keys:read
  • POST /api/v2/tailnet/:tailnet/keys (for auth keys)
  • DELETE /api/v2/tailnet/:tailnet/keys/:keyID (for auth keys)

oauth_keys:read
  The credential has access to read OAuth credentials and keys.
  • GET /api/v2/tailnet/:tailnet/keys/:keyID (only OAuth credentials and OAuth keys)

oauth_keys
  The credential has access to read or modify OAuth credentials and keys.
  • Endpoints from oauth_keys:read
  • DELETE /api/v2/tailnet/:tailnet/keys/:keyID (for OAuth credentials and OAuth keys)

webhooks:read
  The credential has access to read webhooks.
  • GET /api/v2/tailnet/:tailnet/webhooks
  • GET /api/v2/webhooks/:endpointID

webhooks
  The credential has access to read, modify, and test webhooks and to rotate webhook secrets.
  • Endpoints from webhooks:read
  • POST /api/v2/tailnet/:tailnet/webhooks
  • PATCH, DELETE /api/v2/webhooks/:endpointID
  • POST /api/v2/webhooks/:endpointID/test
  • POST /api/v2/webhooks/:endpointID/rotate

log_streaming:read
  The credential has access to read log streaming configurations and their status.
  • GET /api/v2/tailnet/:tailnet/logging/:logType/stream
  • GET /api/v2/tailnet/:tailnet/logging/:logType/status

log_streaming
  The credential has access to read or modify log streaming configurations and check their status. devices_invites and policy_file are required when configuring log streaming to a private endpoint.
  • Endpoints from log_streaming:read
  • PUT, DELETE /api/v2/tailnet/:tailnet/logging/:logType/stream

logs:configuration:read
  The credential has access to read configuration audit logs.
  • GET /api/v2/tailnet/:tailnet/logging/configuration

logs:network:read
  The credential has access to read network flow logs.
  • GET /api/v2/tailnet/:tailnet/logging/network
  • GET /api/v2/tailnet/:tailnet/settings

logs:network
  The credential has access to read network flow logs and modify their settings.
  • Endpoints from logs:network:read
  • PATCH /api/v2/tailnet/:tailnet/settings (for network logging only)

account_settings:read
  The credential has access to read tailnet contacts.
  • GET /api/v2/tailnet/:tailnet/contacts

account_settings
  The credential has access to read or modify tailnet contacts, and to resend verification emails.
  • Endpoints from account_settings:read
  • PATCH /api/v2/tailnet/:tailnet/contacts/:contactType
  • POST /api/v2/tailnet/:tailnet/contacts/:contactType/resend-verification-email

feature_settings:read
  The credential has access to read posture integrations and tailnet feature settings.
  • GET /api/v2/tailnet/:tailnet/posture/integrations
  • GET /api/v2/posture/integrations/:integrationID
  • GET /api/v2/tailnet/:tailnet/settings

feature_settings
  The credential has access to read or modify posture integrations and tailnet feature settings.
  • Endpoints from feature_settings:read
  • POST /api/v2/tailnet/:tailnet/posture/integrations
  • PATCH, DELETE /api/v2/posture/integrations/:integrationID
  • PATCH /api/v2/tailnet/:tailnet/settings

When new Tailscale functionality is provided, we will add it to existing scopes where applicable. That means a scope is not restricted to only access of APIs that existed at the time the credential was initially authorized—a scope will contain additional access where it makes sense for new or updated functionality.
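The rules in the table above (a writable scope includes its :read sibling, all and all:read cover every endpoint, every scope may GET the record of the key in use, and some scopes require companion scopes) can be checked mechanically. The following is an added example written for this page, not Tailscale's code: it encodes part of the scope table as data and answers two questions a defender asks when provisioning a credential, namely whether a given set of scopes permits a call, and what the smallest scope set is that covers the calls a workload is known to make. The function names, the SCOPE_ENDPOINTS and REQUIRES structures, and the sample tailnet and key IDs are the example's own; the endpoint templates are transcribed from the page.

```python
"""Scope evaluation for Tailscale trust-credential scopes.

Added example, not Tailscale's code. Part of the scope table on this page is
encoded as data, and two questions are answered from it: does a credential
with these scopes permit a given call, and what is the smallest scope set
that covers a workload's known calls. A :param in a template matches one
path segment.
"""
import re

# (METHOD, path template) pairs transcribed from the scope table; a subset of
# the page's scopes, enough to exercise the rules below.
SCOPE_ENDPOINTS = {
    "dns:read": {
        ("GET", "/api/v2/tailnet/:tailnet/dns/nameservers"),
        ("GET", "/api/v2/tailnet/:tailnet/dns/preferences"),
        ("GET", "/api/v2/tailnet/:tailnet/dns/searchpaths"),
        ("GET", "/api/v2/tailnet/:tailnet/dns/split-dns"),
    },
    "dns": {
        ("POST", "/api/v2/tailnet/:tailnet/dns/nameservers"),
        ("POST", "/api/v2/tailnet/:tailnet/dns/preferences"),
        ("POST", "/api/v2/tailnet/:tailnet/dns/searchpaths"),
        ("PATCH", "/api/v2/tailnet/:tailnet/dns/split-dns"),
        ("PUT", "/api/v2/tailnet/:tailnet/dns/split-dns"),
    },
    "policy_file:read": {
        ("GET", "/api/v2/tailnet/:tailnet/acl"),
        ("POST", "/api/v2/tailnet/:tailnet/acl/preview"),
        ("POST", "/api/v2/tailnet/:tailnet/acl/validate"),
    },
    "policy_file": {("POST", "/api/v2/tailnet/:tailnet/acl")},
    "devices:core:read": {
        ("GET", "/api/v2/tailnet/:tailnet/devices"),
        ("GET", "/api/v2/device/:deviceID"),
    },
    "devices:core": {
        ("DELETE", "/api/v2/device/:deviceID"),
        ("POST", "/api/v2/device/:deviceID/authorized"),
        ("POST", "/api/v2/device/:deviceID/tags"),
    },
    "devices:posture_attributes:read": {
        ("GET", "/api/v2/device/:deviceID/attributes"),
        ("GET", "/api/v2/device/:deviceID/attributes/:attributeKey"),
    },
    "devices:posture_attributes": {
        ("POST", "/api/v2/device/:deviceID/attributes/:attributeKey"),
        ("DELETE", "/api/v2/device/:deviceID/attributes/:attributeKey"),
    },
}

# Companion scopes the page says must accompany a scope.
REQUIRES = {
    "policy_file:read": {"devices:posture_attributes:read", "devices:core:read"},
    "policy_file": {"devices:posture_attributes", "devices:core:read"},
}

OWN_KEY_TEMPLATE = "/api/v2/tailnet/:tailnet/keys/:keyID"


def _matches(template, path):
    """True if path fits template; each :param consumes exactly one segment."""
    return re.fullmatch(re.sub(r":[A-Za-z]+", r"[^/]+", template), path) is not None


def expand(scopes):
    """A writable scope also grants the endpoints of its :read sibling."""
    return set(scopes) | {s + ":read" for s in scopes if not s.endswith(":read")}


def is_allowed(scopes, method, path, own_key_id=None):
    """Would a token minted from a credential with these scopes pass this call?"""
    scopes, method = expand(scopes), method.upper()
    if "all" in scopes or ("all:read" in scopes and method == "GET"):
        return True
    # Every scope may GET the key record of the key in use.
    if (method == "GET" and own_key_id and _matches(OWN_KEY_TEMPLATE, path)
            and path.rsplit("/", 1)[1] == own_key_id):
        return True
    return any(m == method and _matches(t, path)
               for s in scopes for m, t in SCOPE_ENDPOINTS.get(s, ()))


def minimal_scopes(calls):
    """Smallest scope set covering (method, path) calls: prefer :read scopes,
    add required companions, then drop :read scopes implied by a write sibling."""
    chosen = set()
    for method, path in calls:
        candidates = sorted((s for s in SCOPE_ENDPOINTS if is_allowed([s], method, path)),
                            key=lambda s: (not s.endswith(":read"), s))
        if not candidates:
            raise ValueError(f"no scope in the table grants {method} {path}")
        chosen.add(candidates[0])
    for s in list(chosen):
        chosen |= REQUIRES.get(s, set())
    return {s for s in chosen if not (s.endswith(":read") and s[:-5] in chosen)}
```

Qualifiers the table expresses in words rather than in the path, such as "(for auth keys)" versus "(for API access tokens)" on the same /keys endpoint, are not captured by path matching; when a workload's call list includes such an endpoint, minimal_scopes picks the first matching scope alphabetically and the choice should be confirmed by hand.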

You can find documentation for the Tailscale API on our website.

Revoke a trust credential

  1. Open the Trust credentials page of the admin console.

  2. Find the credential that you want to delete and select Revoke.

  3. Select Revoke to confirm you want to revoke the credential.

When you revoke a trust credential, any active API access tokens that the credential created are also revoked.

Audit logging of API access token creation

Creating an API access token is recorded in your configuration audit log. The log entry shows the trust credential's Client ID as the actor and includes the time at which the API access token was created.

If you believe your trust credential has been compromised, revoke the trust credential (and set up a new credential when you're ready). Review the configuration audit logs to check whether and how the credential and API access tokens were used during the period of compromise.
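To make the review described above concrete, here is an added example, written for this page and not part of Tailscale's tooling, that triages configuration audit log entries after a suspected compromise. The only property taken from the page is that token creation is logged with the trust credential's Client ID as the actor. Everything else is an assumption made for illustration: the JSON-lines record shape, the field names (time, actor, action, target), the action name create_api_access_token, the convention that a token later appears as the actor of the actions it performed, and the constructed sample entries and IDs.

```python
"""Triage of configuration audit log entries after a suspected trust-credential
compromise. Added example; the record shape and field names are constructed for
illustration and are not Tailscale's audit-log schema.
"""
import json
from datetime import datetime, timezone

# Constructed sample entries (JSON lines), not real log data.
SAMPLE_LOG = """\
{"time": "2025-03-01T09:00:00Z", "actor": "kCLIENT1", "action": "create_api_access_token", "target": "kTOKEN1"}
{"time": "2025-03-02T13:30:00Z", "actor": "kCLIENT1", "action": "create_api_access_token", "target": "kTOKEN2"}
{"time": "2025-03-02T13:31:00Z", "actor": "kTOKEN2", "action": "update_acl", "target": "acl"}
{"time": "2025-03-02T13:45:00Z", "actor": "kTOKEN1", "action": "update_dns", "target": "nameservers"}
{"time": "2025-03-03T08:00:00Z", "actor": "kCLIENT2", "action": "create_api_access_token", "target": "kTOKEN3"}
"""


def parse_log(text):
    """Parse JSON-lines entries; timestamps become timezone-aware datetimes."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        entry["time"] = datetime.fromisoformat(entry["time"].replace("Z", "+00:00"))
        entries.append(entry)
    return entries


def triage(entries, client_id, start, end):
    """Tokens the credential minted within [start, end], plus every later action
    attributed to one of those tokens (assumes tokens appear as actors)."""
    minted = sorted(
        e["target"] for e in entries
        if start <= e["time"] <= end
        and e["actor"] == client_id
        and e["action"] == "create_api_access_token")
    actions = [
        (e["time"].isoformat(), e["actor"], e["action"], e["target"])
        for e in entries if e["actor"] in minted]
    return {"tokens": minted, "token_actions": actions}


def actors_creating_tokens(entries):
    """Distinct actors that created tokens, for spotting unexpected clients."""
    return sorted({e["actor"] for e in entries
                   if e["action"] == "create_api_access_token"})


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    window_start = datetime(2025, 3, 2, tzinfo=timezone.utc)
    window_end = datetime(2025, 3, 4, tzinfo=timezone.utc)
    print(triage(log, "kCLIENT1", window_start, window_end))
    print(actors_creating_tokens(log))
```

Run as a script, the triage reports that during the window kCLIENT1 minted only kTOKEN2, which then modified the policy file; kTOKEN1 predates the window and is excluded, so the period of compromise should be chosen generously and widened if the earliest suspicious action falls outside it.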

Legacy scopes

As of November 14, 2024, new trust credentials use the scopes listed in the scopes section. Existing trust credentials that use the scopes below, and keys generated using those credentials, are still valid.

Scopes define the permissions granted to API access tokens created by your credential application.

You can use the following scopes in Tailscale trust credentials:

Each entry gives the scope ID, its description, and the allowed endpoints.

all
  The credential has complete access to the tailnet. This scope is not restricted to only access of APIs that existed at the time the credential was initially authorized—the all scope also grants access to new APIs created in the future. The all and all:read scopes are the only scopes which can get a list of all access tokens which exist in the tailnet.
  • All endpoints, even endpoints which did not exist when the credential was initially authorized.
  • /api/v2/tailnet/:tailnet/keys/:keyID (for any key, not just itself)

all:read
  The credential has read-only access to the tailnet. This scope is not restricted to only read access of APIs that existed at the time the credential was initially authorized—the all:read scope also grants read access to new APIs created in the future. The all and all:read scopes are the only scopes which can get a list of all access tokens which exist in the tailnet.
  • All endpoints, even endpoints which did not exist when the credential was initially authorized.
  • /api/v2/tailnet/:tailnet/keys/:keyID (for any key, not just itself)

acl
  The credential has access to read and modify the tailnet policy file.
  • /api/v2/tailnet/:tailnet/devices
  • /api/v2/tailnet/:tailnet/acl
  • /api/v2/tailnet/:tailnet/acl/preview
  • /api/v2/tailnet/:tailnet/acl/validate
  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)
  • /api/v2/device/:deviceID/attributes
  • /api/v2/device/:deviceID/attributes/:attributeKey

acl:read
  The credential has access to read and validate the tailnet policy file.
  • /api/v2/tailnet/:tailnet/devices
  • /api/v2/tailnet/:tailnet/acl
  • /api/v2/tailnet/:tailnet/acl/preview
  • /api/v2/tailnet/:tailnet/acl/validate
  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)
  • /api/v2/device/:deviceID/attributes

devices
  The credential has access to read the list of devices in the tailnet, authorize or remove machines, create auth keys, and manipulate tags and attributes on devices. You must select one or more tags when you create a credential with the devices scope. Auth keys created with this credential must have those exact tags, or tags owned by the credential's tags.
  • /api/v2/tailnet/:tailnet/devices
  • /api/v2/device/:deviceID
  • /api/v2/device/:deviceID/attributes
  • /api/v2/device/:deviceID/attributes/:attributeKey
  • /api/v2/device/:deviceID/authorized
  • /api/v2/device/:deviceID/key
  • /api/v2/device/:deviceID/tags
  • /api/v2/tailnet/:tailnet/keys (only auth keys, not access tokens)
  • /api/v2/tailnet/:tailnet/keys/* (only auth keys, not access tokens)
  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

devices:read
  The credential has access to read the list of devices, auth keys, attributes, and tags in the tailnet.
  • /api/v2/tailnet/:tailnet/devices
  • /api/v2/device/:deviceID
  • /api/v2/device/:deviceID/attributes
  • /api/v2/device/:deviceID/key
  • /api/v2/device/:deviceID/tags
  • /api/v2/tailnet/:tailnet/keys (only auth keys, not access tokens)
  • /api/v2/tailnet/:tailnet/keys/* (only auth keys, not access tokens)
  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

dns
  The credential has access to read and manipulate DNS settings.
  • /api/v2/tailnet/:tailnet/dns/*
  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

dns:read
  The credential has access to read DNS settings.
  • /api/v2/tailnet/:tailnet/dns/*
  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

routes
  The credential has access to read or modify subnet router settings, approve and revoke subnet routes, and approve and revoke exit nodes.
  • /api/v2/tailnet/:tailnet/devices
  • /api/v2/device/:deviceID/routes
  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

routes:read
  The credential has access to read subnet router settings and exit node settings.
  • /api/v2/tailnet/:tailnet/devices
  • /api/v2/device/:deviceID/routes
  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

logs:read
  The credential has access to read configuration audit logs.
  • /api/v2/tailnet/:tailnet/logs
  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

network-logs:read
  The credential has access to read network flow logs.
  • /api/v2/tailnet/:tailnet/network-logs
  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

Legacy scope equivalents

The following table maps legacy scope IDs to the newer equivalents.

Legacy scope ID                                          ->  New scope ID
devices (for creating authentication keys)               ->  auth_keys
devices (for device posture attributes)                  ->  devices:posture_attributes
devices (for managing device lifecycle and properties)   ->  devices:core
routes                                                   ->  devices:routes
acl                                                      ->  policy_file
logs                                                     ->  logs:configuration
network-logs                                             ->  logs:network
